Posted to users@httpd.apache.org by Matthew Bachmann <mb...@google.com> on 2013/10/22 20:52:24 UTC
[users@httpd] wrong certs
If two virtual hosts on different ports specify different certificate files,
but use the same ServerName, both ports use the same certificate. Is this
expected behavior?
With this config:
Listen *:424 https
<VirtualHost *:424>
ServerName A
SSLCertificateFile 1.crt
</VirtualHost>
Listen *:444 https
<VirtualHost *:444>
ServerName A
SSLCertificateFile 2.crt
</VirtualHost>
connecting to either 424 or 444, I get cert 1.
With this config:
Listen *:424 https
<VirtualHost *:424>
ServerName A
SSLCertificateFile 1.crt
</VirtualHost>
Listen *:444 https
<VirtualHost *:444>
ServerName B
SSLCertificateFile 2.crt
</VirtualHost>
connecting to 424 gets me cert 1, and connecting to 444 gets me cert 2.
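A static check for the conditions raised in this thread (a ServerName reused across port-based virtual hosts with different certificate files, a virtual host without SSLCertificateKeyFile, a NameVirtualHost directive), written as an added example that is not part of the original messages; the function names and finding strings are illustrative.

```python
import re
from collections import defaultdict

# Added example (illustrative names); the config text is the first one from the post.
SAME_NAME_CONF = """\
Listen *:424 https
<VirtualHost *:424>
ServerName A
SSLCertificateFile 1.crt
</VirtualHost>
Listen *:444 https
<VirtualHost *:444>
ServerName A
SSLCertificateFile 2.crt
</VirtualHost>
"""
VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
WANTED = ("servername", "sslcertificatefile", "sslcertificatekeyfile")


def parse_vhosts(conf):
    """Return one dict per <VirtualHost> block with the directives of interest."""
    vhosts = []
    for addr, body in VHOST_RE.findall(conf):
        entry = {"addr": addr.strip()}
        for line in body.splitlines():
            parts = line.split(None, 1)  # directive name, then its argument
            if len(parts) == 2 and parts[0].lower() in WANTED:
                entry[parts[0].lower()] = parts[1].strip()
        vhosts.append(entry)
    return vhosts


def audit(conf):
    """List the conditions discussed in the thread as readable findings."""
    findings = []
    by_name = defaultdict(list)
    for vh in parse_vhosts(conf):
        by_name[vh.get("servername")].append(vh)
        if "sslcertificatefile" in vh and "sslcertificatekeyfile" not in vh:
            findings.append(f"{vh['addr']}: no SSLCertificateKeyFile")
    for name, group in by_name.items():
        certs = {vh.get("sslcertificatefile") for vh in group}
        if name and len(certs) > 1:  # same name, more than one certificate file
            addrs = ", ".join(vh["addr"] for vh in group)
            findings.append(f"ServerName {name} reused on {addrs} with different certificates")
    for m in re.finditer(r"^\s*NameVirtualHost\s+(\S+)", conf, re.M | re.I):
        findings.append(f"NameVirtualHost {m.group(1)} is defined")
    return findings


if __name__ == "__main__":
    for finding in audit(SAME_NAME_CONF):
        print(finding)
```

It reports on the configuration text only; which certificate a running server actually presents still has to be confirmed against each port.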
Re: [users@httpd] wrong certs
Posted by Matthew Bachmann <mb...@google.com>.
I am not using name based virtual hosts, so there is no SNI here.
On Thu, Oct 24, 2013 at 6:52 AM, Jan Vávra <va...@602.cz> wrote:
> This is not a bug but a SNI feature (
> http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI).
> Check if you have not defined
> NameVirtualHost *:424
> NameVirtualHost *:444
> Jan.
>
>
>
> Try your same config but use A for the ServerName in both VirtualHost
> sections. Based on what I've seen, you should then get 1.crt from either
> port, and never get 2.crt, which seems like a bug.
>
>
> On Wed, Oct 23, 2013 at 3:14 AM, Jan Vávra <va...@602.cz> wrote:
>
>> Hello,
>> it is obvious you are using port based virtual host. My question was for
>> assuring you have configured basics well.
>> So I suppose you have:
>>
>>
>> Listen *:424 https
>> <VirtualHost *:424>
>> ServerName A
>> SSLCertificateFile 1.crt
>> *SSLCertificateKeyFile 1.key*
>>
>> #and probably also
>> SSLCertificateChainFile chain.crt
>>
>> </VirtualHost>
>>
>>
>> I have made a test and it works fine.
>> I do not use wildcards, I directly specify the IP address.
>>
>> Listen 424 https
>> Listen 444 https
>> <VirtualHost 192.168.1.211:424>
>> ServerName A
>> SSLCertificateFile 1.crt
>> SSLCertificateKeyFile 1.key
>> </VirtualHost>
>>
>> <VirtualHost 192.168.1.211:444>
>> ServerName B
>> SSLCertificateFile 2.crt
>> SSLCertificateKeyFile 2.key
>> </VirtualHost>
>>
>> and in my hosts file there are records
>> 192.168.1.211 A
>> 192.168.1.211 B
>>
>> Try to call httpd -S. In my case it shows
>> VirtualHost configuration:
>> ....
>> 192.168.1.211:424 A (1.conf)
>> 192.168.1.211:444 B (2.conf)
>>
>> For A and B I use some real names eg. www.mycompany1.cz,
>> www.mycompany2.cz.
>>
>> Do you even know about name based virtual https host?
>> http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI
>> Most clients support this and I use it in production.
>>
>> Jan
>>
>> The certificates are specified in port based virtual hosts, there is
>> no NameVirtualHost here. So I would expect the specified certificate to be
>> served on the corresponding port no matter what host header was passed.
>>
>>
>> On Tue, Oct 22, 2013 at 4:50 PM, Jan Vávra <va...@602.cz> wrote:
>>
>>> Hello.
>>> For sure have you not forgotten specifying option SSLCertificateKeyFile
>>> ?
>>> What is the url you are using?
>>> If you use https://localhost:424 instead of https://a:424, you can get
>>> weird results.
>>>
>>> I can also try it, if your problem persists. My last several years is
>>> full of creating and using certificates ;-)
>>>
>>> Jan.
>>>
>>>
>>> If two virtual hosts on different ports specify different certificate
>>>> files, but use the same ServerName, both ports use the same certificate.
>>>> Is this expected behavior?
>>>>
>>>>
>>>> With this config:
>>>>
>>>> Listen *:424 https
>>>> <VirtualHost *:424>
>>>> ServerName A
>>>> SSLCertificateFile 1.crt
>>>> </VirtualHost>
>>>>
>>>> Listen *:444 https
>>>> <VirtualHost *:444>
>>>> ServerName A
>>>> SSLCertificateFile 2.crt
>>>> </VirtualHost>
>>>>
>>>> connecting to either 424 or 444, I get cert 1.
>>>>
>>>> With this config:
>>>>
>>>> Listen *:424 https
>>>> <VirtualHost *:424>
>>>> ServerName A
>>>> SSLCertificateFile 1.crt
>>>> </VirtualHost>
>>>>
>>>> Listen *:444 https
>>>> <VirtualHost *:444>
>>>> ServerName B
>>>> SSLCertificateFile 2.crt
>>>> </VirtualHost>
>>>>
>>>> connecting to 424 gets me cert 1, and connecting to 444 gets me cert 2.
>>>>
>>>>
>>>>
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>> For additional commands, e-mail: users-help@httpd.apache.org
>>>
>>>
>>
>>
>
>
Re: [users@httpd] wrong certs
Posted by Jan Vávra <va...@602.cz>.
This is not a bug but an SNI feature
(http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI).
Check if you have not defined
NameVirtualHost *:424
NameVirtualHost *:444
Jan.
> Try your same config but use A for the ServerName in both VirtualHost
> sections. Based on what I've seen, you should then get 1.crt from
> either port, and never get 2.crt, which seems like a bug.
>
>
> On Wed, Oct 23, 2013 at 3:14 AM, Jan Vávra <vavra@602.cz> wrote:
>
> Hello,
> it is obvious you are using port based virtual host. My question
> was for assuring you have configured basics well.
> So I suppose you have:
>
>
> Listen *:424 https
> <VirtualHost *:424>
> ServerName A
> SSLCertificateFile 1.crt
> *SSLCertificateKeyFile 1.key*
>
> #and probably also
> SSLCertificateChainFile chain.crt
>
> </VirtualHost>
>
>
> I have made a test and it works fine.
> I do not use wildcards, I directly specify the IP address.
>
> Listen 424 https
> Listen 444 https
> <VirtualHost 192.168.1.211:424>
> ServerName A
> SSLCertificateFile 1.crt
> SSLCertificateKeyFile 1.key
> </VirtualHost>
>
> <VirtualHost 192.168.1.211:444>
> ServerName B
> SSLCertificateFile 2.crt
> SSLCertificateKeyFile 2.key
> </VirtualHost>
>
> and in my hosts file there are records
> 192.168.1.211 A
> 192.168.1.211 B
>
> Try to call httpd -S. In my case it shows
> VirtualHost configuration:
> ....
> 192.168.1.211:424 A (1.conf)
> 192.168.1.211:444 B (2.conf)
>
> For A and B I use some real names, e.g. www.mycompany1.cz,
> www.mycompany2.cz.
>
> Do you even know about name based virtual https host?
> http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI
> Most clients support this and I use it in production.
>
> Jan
>
>> The certificates are specified in port based virtual hosts, there
>> is no NameVirtualHost here. So I would expect the specified
>> certificate to be served on the corresponding port no matter what
>> host header was passed.
>>
>>
>> On Tue, Oct 22, 2013 at 4:50 PM, Jan Vávra <vavra@602.cz> wrote:
>>
>> Hello.
>> For sure have you not forgotten specifying option
>> SSLCertificateKeyFile ?
>> What is the url you are using?
>> If you use https://localhost:424 instead of https://a:424,
>> you can get weird results.
>>
>> I can also try it, if your problem persists. My last several
>> years is full of creating and using certificates ;-)
>>
>> Jan.
>>
>>
>> If two virtual hosts on different ports specify different
>> certificate files, but use the same ServerName, both
>> ports use the same certificate. Is this expected behavior?
>>
>>
>> With this config:
>>
>> Listen *:424 https
>> <VirtualHost *:424>
>> ServerName A
>> SSLCertificateFile 1.crt
>> </VirtualHost>
>>
>> Listen *:444 https
>> <VirtualHost *:444>
>> ServerName A
>> SSLCertificateFile 2.crt
>> </VirtualHost>
>>
>> connecting to either 424 or 444, I get cert 1.
>>
>> With this config:
>>
>> Listen *:424 https
>> <VirtualHost *:424>
>> ServerName A
>> SSLCertificateFile 1.crt
>> </VirtualHost>
>>
>> Listen *:444 https
>> <VirtualHost *:444>
>> ServerName B
>> SSLCertificateFile 2.crt
>> </VirtualHost>
>>
>> connecting to 424 gets me cert 1, and connecting to 444
>> gets me cert 2.
>>
>>
>>
>>
>>
>>
>
>
Re: [users@httpd] wrong certs
Posted by Matthew Bachmann <mb...@google.com>.
Try your same config but use A for the ServerName in both VirtualHost
sections. Based on what I've seen, you should then get 1.crt from either
port, and never get 2.crt, which seems like a bug.
On Wed, Oct 23, 2013 at 3:14 AM, Jan Vávra <va...@602.cz> wrote:
> Hello,
> it is obvious you are using port based virtual host. My question was for
> assuring you have configured basics well.
> So I suppose you have:
>
>
> Listen *:424 https
> <VirtualHost *:424>
> ServerName A
> SSLCertificateFile 1.crt
> *SSLCertificateKeyFile 1.key*
>
> #and probably also
> SSLCertificateChainFile chain.crt
>
> </VirtualHost>
>
>
> I have made a test and it works fine.
> I do not use wildcards, I directly specify the IP address.
>
> Listen 424 https
> Listen 444 https
> <VirtualHost 192.168.1.211:424>
> ServerName A
> SSLCertificateFile 1.crt
> SSLCertificateKeyFile 1.key
> </VirtualHost>
>
> <VirtualHost 192.168.1.211:444>
> ServerName B
> SSLCertificateFile 2.crt
> SSLCertificateKeyFile 2.key
> </VirtualHost>
>
> and in my hosts file there are records
> 192.168.1.211 A
> 192.168.1.211 B
>
> Try to call httpd -S. In my case it shows
> VirtualHost configuration:
> ....
> 192.168.1.211:424 A (1.conf)
> 192.168.1.211:444 B (2.conf)
>
> For A and B I use some real names, e.g. www.mycompany1.cz, www.mycompany2.cz.
>
> Do you even know about name based virtual https host?
> http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI
> Most clients support this and I use it in production.
>
> Jan
>
> The certificates are specified in port based virtual hosts, there is no
> NameVirtualHost here. So I would expect the specified certificate to be
> served on the corresponding port no matter what host header was passed.
>
>
> On Tue, Oct 22, 2013 at 4:50 PM, Jan Vávra <va...@602.cz> wrote:
>
>> Hello.
>> For sure have you not forgotten specifying option SSLCertificateKeyFile
>> ?
>> What is the url you are using?
>> If you use https://localhost:424 instead of https://a:424, you can get
>> weird results.
>>
>> I can also try it, if your problem persists. My last several years is
>> full of creating and using certificates ;-)
>>
>> Jan.
>>
>>
>> If two virtual hosts on different ports specify different certificate
>>> files, but use the same ServerName, both ports use the same certificate.
>>> Is this expected behavior?
>>>
>>>
>>> With this config:
>>>
>>> Listen *:424 https
>>> <VirtualHost *:424>
>>> ServerName A
>>> SSLCertificateFile 1.crt
>>> </VirtualHost>
>>>
>>> Listen *:444 https
>>> <VirtualHost *:444>
>>> ServerName A
>>> SSLCertificateFile 2.crt
>>> </VirtualHost>
>>>
>>> connecting to either 424 or 444, I get cert 1.
>>>
>>> With this config:
>>>
>>> Listen *:424 https
>>> <VirtualHost *:424>
>>> ServerName A
>>> SSLCertificateFile 1.crt
>>> </VirtualHost>
>>>
>>> Listen *:444 https
>>> <VirtualHost *:444>
>>> ServerName B
>>> SSLCertificateFile 2.crt
>>> </VirtualHost>
>>>
>>> connecting to 424 gets me cert 1, and connecting to 444 gets me cert 2.
>>>
>>>
>>>
>>
>>
>>
>
>
Re: [users@httpd] wrong certs
Posted by Jan Vávra <va...@602.cz>.
Hello,
it is obvious you are using port-based virtual hosts. My question was
to make sure you have configured the basics well.
So I suppose you have:
Listen *:424 https
<VirtualHost *:424>
ServerName A
SSLCertificateFile 1.crt
*SSLCertificateKeyFile 1.key*
#and probably also
SSLCertificateChainFile chain.crt
</VirtualHost>
I have made a test and it works fine.
I do not use wildcards, I directly specify the IP address.
Listen 424 https
Listen 444 https
<VirtualHost 192.168.1.211:424>
ServerName A
SSLCertificateFile 1.crt
SSLCertificateKeyFile 1.key
</VirtualHost>
<VirtualHost 192.168.1.211:444>
ServerName B
SSLCertificateFile 2.crt
SSLCertificateKeyFile 2.key
</VirtualHost>
and in my hosts file there are records
192.168.1.211 A
192.168.1.211 B
Try to call httpd -S. In my case it shows
VirtualHost configuration:
....
192.168.1.211:424 A (1.conf)
192.168.1.211:444 B (2.conf)
For A and B I use some real names, e.g. www.mycompany1.cz, www.mycompany2.cz.
Do you even know about name-based virtual HTTPS hosts?
http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI
Most clients support this and I use it in production.
Jan
> The certificates are specified in port based virtual hosts, there is
> no NameVirtualHost here. So I would expect the specified certificate
> to be served on the corresponding port no matter what host header was
> passed.
>
>
> On Tue, Oct 22, 2013 at 4:50 PM, Jan Vávra <vavra@602.cz> wrote:
>
> Hello.
> For sure have you not forgotten specifying option
> SSLCertificateKeyFile ?
> What is the url you are using?
> If you use https://localhost:424 instead of https://a:424, you can
> get weird results.
>
> I can also try it, if your problem persists. My last several
> years is full of creating and using certificates ;-)
>
> Jan.
>
>
> If two virtual hosts on different ports specify different
> certificate files, but use the same ServerName, both ports use
> the same certificate. Is this expected behavior?
>
>
> With this config:
>
> Listen *:424 https
> <VirtualHost *:424>
> ServerName A
> SSLCertificateFile 1.crt
> </VirtualHost>
>
> Listen *:444 https
> <VirtualHost *:444>
> ServerName A
> SSLCertificateFile 2.crt
> </VirtualHost>
>
> connecting to either 424 or 444, I get cert 1.
>
> With this config:
>
> Listen *:424 https
> <VirtualHost *:424>
> ServerName A
> SSLCertificateFile 1.crt
> </VirtualHost>
>
> Listen *:444 https
> <VirtualHost *:444>
> ServerName B
> SSLCertificateFile 2.crt
> </VirtualHost>
>
> connecting to 424 gets me cert 1, and connecting to 444 gets
> me cert 2.
>
>
>
>
>
>
Re: [users@httpd] wrong certs
Posted by Matthew Bachmann <mb...@google.com>.
The certificates are specified in port based virtual hosts, there is no
NameVirtualHost here. So I would expect the specified certificate to be
served on the corresponding port no matter what host header was passed.
On Tue, Oct 22, 2013 at 4:50 PM, Jan Vávra <va...@602.cz> wrote:
> Hello.
> For sure have you not forgotten specifying option SSLCertificateKeyFile ?
> What is the url you are using?
> If you use https://localhost:424 instead of https://a:424, you can get
> weird results.
>
> I can also try it, if your problem persists. My last several years is
> full of creating and using certificates ;-)
>
> Jan.
>
>
> If two virtual hosts on different ports specify different certificate
>> files, but use the same ServerName, both ports use the same certificate.
>> Is this expected behavior?
>>
>>
>> With this config:
>>
>> Listen *:424 https
>> <VirtualHost *:424>
>> ServerName A
>> SSLCertificateFile 1.crt
>> </VirtualHost>
>>
>> Listen *:444 https
>> <VirtualHost *:444>
>> ServerName A
>> SSLCertificateFile 2.crt
>> </VirtualHost>
>>
>> connecting to either 424 or 444, I get cert 1.
>>
>> With this config:
>>
>> Listen *:424 https
>> <VirtualHost *:424>
>> ServerName A
>> SSLCertificateFile 1.crt
>> </VirtualHost>
>>
>> Listen *:444 https
>> <VirtualHost *:444>
>> ServerName B
>> SSLCertificateFile 2.crt
>> </VirtualHost>
>>
>> connecting to 424 gets me cert 1, and connecting to 444 gets me cert 2.
>>
>>
>>
>
>
>
Re: [users@httpd] wrong certs
Posted by Jan Vávra <va...@602.cz>.
Hello.
Are you sure you have not forgotten to specify the SSLCertificateKeyFile option?
What is the URL you are using?
If you use https://localhost:424 instead of https://a:424, you can get
weird results.
I can also try it, if your problem persists. My last several years have been
full of creating and using certificates ;-)
Jan.
> If two virtual hosts on different ports specify different certificate
> files, but use the same ServerName, both ports use the same
> certificate. Is this expected behavior?
>
>
> With this config:
>
> Listen *:424 https
> <VirtualHost *:424>
> ServerName A
> SSLCertificateFile 1.crt
> </VirtualHost>
>
> Listen *:444 https
> <VirtualHost *:444>
> ServerName A
> SSLCertificateFile 2.crt
> </VirtualHost>
>
> connecting to either 424 or 444, I get cert 1.
>
> With this config:
>
> Listen *:424 https
> <VirtualHost *:424>
> ServerName A
> SSLCertificateFile 1.crt
> </VirtualHost>
>
> Listen *:444 https
> <VirtualHost *:444>
> ServerName B
> SSLCertificateFile 2.crt
> </VirtualHost>
>
> connecting to 424 gets me cert 1, and connecting to 444 gets me cert 2.
>
>